Bounties

Any registered warden can submit bugs to Code4rena bug bounties.

• Only Critical and High risk issues are acceptable, unless otherwise noted in the bounty repo.

• Coded runnable PoCs are required.

Submitting to a Code4rena bug bounty

• Visit code4rena.com/bounties to see all active bounties.

• Each bounty page outlines the scope and other details for the bounty.

• To submit a finding, use the submission form (linked from the bounty page).

• You will receive an email confirmation that your submission was successful.

Deposit requirements

• Each submission to a Code4rena bug bounty requires a 25 USDC deposit.

• Deposits are paid in‑app only using a connected web3 wallet. When you connect your wallet, the app checks that you have enough ETH for gas and at least 25 USDC on Ethereum mainnet.

• After approving the deposit transaction in your wallet, your submission is automatically finalized.

• Do not send manual or external payments — they cannot be linked to your account and will not be accepted or refunded.

• Refunds:

  • Valid or wontfix submissions → deposit refunded to the same wallet it came from

  • Invalid or spam submissions → deposit is not refunded

Tracking progress on your submission

• Bounty submissions cannot be edited once submitted.

• Bounty submissions do not appear in-app, in the "Your submissions" view.

• All results for C4 bug bounties are communicated through the #c4-bounties channel in the Code4rena Discord server. Bug bounty participants are encouraged to enable notifications for that channel.

• If your bounty submission meets the criteria for a reward, C4 staff will notify you in a private thread in the Code4rena Discord server, to coordinate payment.

Judging process for Code4rena bug bounties

Unless otherwise noted in the bounty's README, bounty submissions are judged by the sponsor team. The following guidelines apply to sponsor-judged bounties.

Sponsor judging responsibilities

Sponsors are responsible for reviewing and assessing submitted findings, and providing a written response indicating their determination, within a timely manner.

Code4rena will make best efforts to share sponsors' written responses with the warden who reported the finding as soon as possible.

Findings which do not receive a sponsor response within 14 days of submission are closed by default.

Appeals process for bounty programs

Wardens may choose to appeal a sponsor's verdict for a Code4rena bounty submission, if they wish to formally contest the assessed validity and/or risk level of one or more findings.

In the event of a judge appeal, with permission from the sponsor, Code4rena staff will select judge(s), affiliated with Code4rena or independent, and the appointed judges will apply the bounty judging criteria to the relevant findings. Code4rena will administer the appeal process at its discretion. Decisions after an appeal are binding and final with respect to a finding’s validity, severity, and remuneration due to the warden who reported the finding.